-
Extensive IOS hacking guide released by Security Innovation
Security Innovation has published a very extensive guide to IOS hacking that's worth checking out. Here's the table of contents 1. Setting Up iOS Pentest Lab……………… 51.1 Get an iOS Device……………….5 1.2 Jailbreaking an iOS Device……………… 7 1.3 Installing Required Software and Utilities ……………… 102. Acquiring iOS Binaries……………… 133. Generating iOS Binary (.IPA file) from…
-
My experience with developer security training
I've been busy this past year which has resulted in almost no updates to this site. Consider this one of many rants/posts of my experience/s in the industry during this time. This post covers a topic I think many people implement poorly, which is security training targeting developers. How most people implement developer focused…
-
Five pieces of advice for those new to the infosec industry
I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc..) and thought I'd share a few points to those of you starting out in the security industry. Things are worse than you expect The reality is that companies, even large ones, are…
-
NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad
NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they've created vulnerable code test cases for much of MITRE's CWE project in Java and c/c++. From the README "This archive contains test cases intended for use by organizations and individuals that wish to…
-
Improving ASP.NET Security with Visual Studio 2010 Code Analysis
Sacha Faust has published a great article on some of the security checking functionality in Visual Studio. From the article "Anyone doing ASP.NET development probably admits, openly or not, to introducing or stumbling upon a security issue at some point during their career. Developers are often pressured to deliver code as quickly as possible, and…
-
New Site Addressing Python Security
For you python developers out there, Craig Younkins sent the following to The Web Security Mailing List (which I moderate) this morning. "I'd like to invite you to a new community – http://www.pythonsecurity.org/ –which is now the central hub for security in Python. We're writing articleson security topics and how they pertain to Python, analyzing…
-
A reminder as to why using random salts is a good idea
I came across a post on stackoverflow that I felt was worth mentioning. The person was wanting to hash user passwords and implement per user salting. A response by Dave Sherohman provided a good overview as to why using random salts (instead of just using the user's username) is a good idea. If you've been…
-
Be careful of “scheme relative urls” when performing 3xx redirects
Former coworker Sacha Faust has published an entry on how the lack of handling relative urls when implementing URL redirection can lead to open redirector's. Article: http://blogs.msdn.com/sfaust/archive/2010/03/30/saferedirect.aspx
-
Secure Application Development on Facebook Platform
Facebook and isecpartners have teamed up to write an article on developing secure applications on the Facebook platform. "This document provides a basic outline/best practice for developing secure applications on the Facebook platform. Facebook applications are web, desktop, or mobile applications that make use of the Facebook API to integrate tightly with the social network…
-
Announcement: WASC Threat Classification v2 is Out!
I am very pleased to announce that the WASC Threat Classification v2 is finally out the door. This project has by far been one of the most challenging, intellectually stimulating projects I've had the chance to work on. I have included the official announcement below. "The Web Application Security Consortium (WASC) is pleased to announce…
-
Adobe on Fuzzing Adobe Reader For Security Defects
Adobe has published an entry on their blog outlining how fuzzing plays a part in discovering security issues in their product prior to launching it. Its good to see a company such as Adobe publishing this information as its one of those things that is discussed frequently by the security community, however is rarely discussed…
-
Preventing Security Development Errors: Lessons Learned at Windows Live by Using ASP.NET MVC
Microsoft has published a paper on its ASP.NET MVC framework, how to use it, and how utilization of an SDL eliminates the potential to introduce vulnerabilities such as XSRF. From the paper "On the Microsoft platform, most Web applications are based on ASP.NET and the Microsoft®.NET Framework. ASP.NET MVC is a new framework based on…
-
Microsoft’s Enhanced Mitigation Evaluation Toolkit adds protection to processes
Microsoft has published the Enhanced Mitigation Evaluation Toolkit. This toolkit allows you to specify a process to add the following forms of protection (without recompiling). SEHOP This mitigation performs Structured Exception Handling (SEH) chain validation and breaks SEH overwrite exploitation techniques. Take a look at the following SRD blog post for more information: http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx. With…
-
WASC TC v2 – Improper Input Handling Section Completed
I lead the WASC Threat Classification v2 project and we've just completed a section that I felt deserved its own post. Prasad Shenoy along with the WASC TC peer review team authored a really great section on Improper Input Handling meant to describe each aspect of input handling with a medium level of detail. We've…
-
Strict Transport Security (STS) draft specification is public
Fellow coworker Jeff Hodges has announced the formal specification draft for Strict Transport Security. STS is a new proposed protocol for allowing a website to instruct returning visitors to never visit the site on http, and to only visit the site over https and is entirely opt in. This can prevent MITM situations where an…
-
Article: Bypassing DBMS_ASSERT in certain situations
David "I like to beat up on oracle" Litchfield has published a new paper outlining how DBMS_ASSERT can be misused in such a way that SQL Injection is possible. From the whitepaper "The DBMS_ASSERT builtin package can be used by PL/SQL developers to protectagainst SQL injection attacks[1]. In [2] Alex Kornbrust showed that there are…
-
WASC Threat Classification 2.0 Sneak Peek
Here is a sneak peek at the WASC Threat Classification v2.0. We’ve been working on this for more than a year and it’s been a very challenging, educational experience to say the least. Sections that are gray are currently in peer review and are not completed. Mission statement “The Threat Classification v2.0 outlines the attacks…
-
Fuzzware 1.5 released
"Fuzzware is tool for pen-testers and software security testers that isdesigned to simplify the fuzzing process, while maximising the fuzzingquality and effectiveness. Fuzzware is adaptable to various testingscenarios (e.g. file fuzzing, Web Services fuzzing, etc), gives you finegrain control over the fuzzing techniques used and ensures any interestingtest cases are captured and reproducible. For more…
-
Session Attacks and ASP.NET – Part 2
"In Session Attacks and ASP.NET – Part 1, I introduced one type of attack against the session called Session Fixation as well as ASP.NET’s session architecture and authentication architecture. In this post, I’ll delve into a couple specific attack scenarios, cover risk reduction, and countermeasures." Read: https://blogs.sans.org/appsecstreetfighter/2009/06/24/session-attacks-and-aspnet-part-2/
-
Session Attacks and ASP.NET – Part 1
Sans has published part 1 of an article discussing Session Fixation attacks against .NET applications. "I’ve spent some time recently looking for updated information regarding session attacks as they apply to ASP.NET and am still not completely satisfied with how Microsoft has decided to implement session management in ASP.NET 2.0+ (haven’t looked at 4.0 beta…
-
Article: ‘Setting the appropriate security defect handling expectations in development and QA
I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a rather difficult task. As…
-
Microsoft bans Memcpy() in their SDL program
"Memcpy() and brethren, your days are numbered. At least in development shops that aspire to secure coding. Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C language. Effective later…
-
Gap Analysis of Application Security in Struts2/WebWork
"The purpose of this paper is to discover what features and capabilities, if any, the Struts2/WebWork(hereafter referred to simply as Struts2) development team could add to increase the security ofapplications built with Struts2. The version analyzed was version 2.1.6, which was the latest versionavailable when the project was started. The purpose of this research is…
-
OAuth Session Fixation Security Flaw Discovered
From the advisory "The attack starts with the attacker logging into an account he owns at the (honest) Consumer site. The attacker initiates the OAuth authorization process but rather than follow the redirect from the Consumer to obtain authorization, the attacker instead saves the authorization request URI (which includes the Request Token). Later, the attacker…
-
Improving Security with URL Rewriting
"Most web application security experts frown on the practice of passing session or authentication tokens in a URL through the use of URL rewriting. Usually these tokens are passed between the server and the browser through HTTP cookies, but in cases where users configure their browsers to not accept cookies, this is impossible. Some web…
Favorite Links
- Security Templates (New)
- The Web Application Security Consortium
- QA Security
- The Web Security Mailing List
- Romain Gaucher’s Blog
- Jeremiah Grossman’s Blog
Popular Pages
WASC Threat Classification
- Abuse of Functionality
- Application Misconfiguration
- Brute Force Attack
- Content Spoofing
- Credential/Session Prediction
- Denial of Service
- Directory Indexing
- Information Leakage
- Remote File Inclusion Attack
- Routing Detour Attack
- SOAP Array Abuse
- XML Attribute Blowup
- XML Injection
- XML External Entity Attack